Post on 09-Mar-2018
BRKMPL-2105
I-AS MPLS Solutions
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2
The Prerequisites
Must understand basic IP routing
Familiar with MPLS Architectures
Familiar with MPLS Applications
Some level of MPLS network Design/Deployment Experience
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 3
Agenda
Inter-AS NetworksInter-AS Connectivity Models
Inter-AS L3 VPNs
Inter-AS L2VPNs
Inter-AS Multicast VPNs
Carrier Supporting Carrier
CSC Service Models
MPLS L3 VPNs
Multicast VPNs
MPLS L2 VPNs
Inter-AS Traffic Engineering
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 4
Inter-Provider MPLS Solutions
To interconnect multiple independently managed MPLS DomainsFast geographic service coverage expansion
Two MPLS VPN Providers peering to cover for a common customer base
Support original multi-domain network designIGP isolation with service continuity
Interconnect BGP confederations with different IGPs in the same AS
Two models available:1.Carrier Supporting Carrier (CSC)
2.Inter-Autonomous Systems (I-AS)
AS3AS2AS1Subscriber1Subscriber1
SubscriberN SubscriberN
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 5
Carrier Supporting Carrier vs. Inter-AS
CSC Client-Server model IP/MPLS Carrier is a customer of
another MPLS backbone provider IP/MPLS Carrier doesn’t want to
manage own backbone Only the backbone provider is
required to have MPLS VPN core Customer Carriers do not
distribute their subscribers’ VPN info to the backbone carrier
Inter-AS Peer-Peer model SPs provide services to the
common customer base Single SP POPs not available in
all geographical areas required by their subscribers/customers
Both SPs must support MPLS VPNs
Subscriber VPN information shared between peering SPs (ASs)
MPLS Backbone Provider
Customer Carrier-B
Customer Carrier-B
Subscriber A Site1
Subscriber A Site1
Subscriber A Site1
Subscriber A Site2
Provider-A Provider-BASBR-A ASBR-B
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 6
I-AS L3 VPNsOverview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 7
Inter-AS VPNv4 Distribution Options
VPN-R1 VPN-R2
PE22
CE2 CE1
AS #1 AS #2
PE11
MP-eBGP for VPNv4
Multihop MP-eBGP between RRs
Back-to-Back VRFsASBR1 ASBR2
How to Distribute VPN Routes between ASBRs?
VPN Sites Attached to Different MPLS VPN Service Providers
Option AB
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 8
Each ASBR Thinks the Other Is a CE
Inter-AS VPN—Option ABack-to-Back VRFs
One logical interface per VPN on directly connected ASBRs
Packet is forwarded as an IP packet between the ASBRs
Link may use any supported PE-CE routing protocol
IP QoS policies negotiated and configured manually on the ASBRs
Option A is the most secure and easiest to provision
May not be easy to manage as #s of VPNs grow
AS1PE-ASBR1
PE1
P1
Use VPN label 40 Unlabeled IP Packets
AS2PE-ASBR2
PE2
P2
Use VPN label 80
P1
IP IP 40 P1 IP 42 IP IPIP 80 P2 IP 80
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 9
AS #1 AS #2PE1
PE2
VPN-R1
CE1 CE2
VPN-R2
ASBR1
152.12.4.0/24
BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE2
VPN-v4 update:RD:1:27:152.12.4.0
/24, NH=PE1RT=1:222, Label=(L1)
VPN-v4 update:RD:1:27:152.12.4.0/24,
NH=ASBR2RT=1:222, Label=(L3)
BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2
Inter-AS VPN—Option BSetting up Control Plane
ASBR2
All VPNv4 Prefixes/Labels from PEs Distributed to PE-ASBRs
VPN-v4 update:RD:1:27:152.12.4.0
/24, NH=ASBR1RT=1:222, Label=(L2)
eBGP for VPNv4
Label Exchangebetween GatewayPE-ASBR Routers
Using eBGP
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 10
Inter-AS VPN—Option BKey Points
PE-ASBRs exchange routes directly using eBGP External MP-BGP for VPNv4 prefix exchange;
MP-BGP session with NH to advertising PE-ASBRNext-hop and labels are rewritten when advertised across the inter-provider MP-BGP session
Receiving PE-ASBR automatically creates a /32 host route to a peer ASBR
Which must be advertised into receiving IGP if next-hop-self is not in operation to maintain the LSP
PE-ASBR stores all VPN routes that need to be exchangedBut only within the BGP table
No VRFs; labels are populated into the LFIB of the PE-ASBR
ASBR-ASBR link must be directly connected!!!!!! Could use GRE tunnel-considered directly connected
Receiving PE-ASBRs may allocate new labelControlled by configuration of next-hop-self (default is off)
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 11
ASBR1 ASBR2
152.12.4.1
152.12.4.1L3
L2 152.12.4.1
152.12.4.1 L1
152.12.4.1
PE1
VPN-R1
CE1
152.12.4.0/24
PE2
CE2
VPN-R2
Inter-AS VPN—Option BPacket Forwarding between MPLS VPN AS
AS #1 AS #2
Note: The outer most core (IGP labels in an AS) label is not displayed in this presentation
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 12
PE1 PE2
AS #1 AS #2
CE1
VPN-R1 VPN-R2
CE2
ASBR1 ASBR2
eBGP for VPNv4
Inter-AS VPN—Option BCisco IOS Configuration
!router bgp 1neighbor <ASBR2> remote-as 2neighbor <PE1> remote-as 1neighbor <PE1> update-source loopback0no bgp default route-target filter!address-family vpnv4neighbor <PE1> remote-as 1 activateneighbor <PE1> remote-as 1 next-hop-selfneighbor <ASBR2> remote-as 2 activateneighbor <ASBR2> remote-as 2 send-community extended
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 13
PE1AS #1 AS #2
ASBR2
eBGP IPv4 + Labels IGP + LDP
Inter-AS VPN—Option CMulti-hop eBGP VPNv4 between RRs
Eliminates LFIB duplication at ASBRs. ASBRs don’t hold VPNv4 prefix/label info.
ASBRs Exchange PE loopbacks (IPv4) with labels as these are BGP NH addresses
Two Options for Label Distribution for BGP NH Addresses: IGP + LDP OR BGP IPv4 + Labels (RFC3107)
BGP exchange Label Advertisement Capability - Enables end-end LSP Paths
Subsequent Address Family Identifier (value 4) field is used to indicate that the NLRIcontains a label
Disable Next-hop-self on RRs
RR2RR1 Exchange VPNv4 Routes
ASBR1
PE2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 14
VPN-R1
CE1CE2
VPN-R2
ASBR1
RR2
ASBR2
BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE2
BGP VPNv4 update:RD:1:27:152.12.4.0/24,NH=PE1RT=1:222, Label=(L1)
BGP VPN-v4 update:RD:1:27:152.12.4.0/24, NH=PE1RT=1:222, Label=(L1)
BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2
PE1 PE2
I-AS VPN—Option CSetting up Control Plane
AS #1
BGP update:RD:1:27:152.12.4.0/24,NH=PE1RT=1:222, Label=(L1)
To ASBR2:Network=PE1 NH=ASBR-1Label=(L2)
From ASBR1:Network=PE1 NH=ASBR-2Label=(L3)
152.12.4.0/24
RR1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 15
VPN-R1
CE1 CE2
VPN-R2
ASBR1
RR2
ASBR2
RR1
PE1
152.12.4.1
L2 L1 152.12.4.1
152.12.4.1
I-AS VPN—Option CForwarding Plane
PE2
L1L3 152.12.4.1152.12.4.1L1
152.12.4.0/24
Note: The diagram does not display an outer most core (IGP labels in an AS) label
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 16
ASBR1
RR2
ASBR2
RR1
PE1PE2
I-AS VPN—Option CIPv4+Label, Cisco IOS Configuration
!address-family ipv4neighbor <RR1> activateneighbor <RR1> send-label!
!router bgp 1neighbor <RR2> ebgp-multihop 255!address-family ipv4neighbor <RR2> activate
neighbor <PE1> activateneighbor <PE1> send-label
neighbor <ASBR1> activateneighbor <ASBR1> send-label!address-family vpnv4neighbor <RR2> next-hop-unchangedexit-address-family!
!address-family ipv4neighbor <ASBR2> activateneighbor <ASBR2> send-label
neighbor <RR1> activateneighbor <RR1> next-hop-selfneighbor <RR1> send-label!
AS #1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 17
Inter-AS Multipath Load Balance Options
Support VPNv4 and label negotiated IPv4 eBGP sessions between loopbacks of directly connected routers w/o the use of LDP on the connecting interfaces
Consider the three topologies –Designated by Topo-1, Topo-2, Topo-3
Load balancing for Inter-AS sub-cases with:
1. Interface Peering2. Loopback peering3. IPv4 + Label4. VPNv4 + Label
ASBR1
ASBR1
ASBR3
ASBR2
ASBR2
Topo-1
Topo-2
Topo-3
AS1 AS2
ASBR1
ASBR3ASBR4
ASBR2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 18
Inter-AS Loopback Peering for Directly Connected ASBRs
HOSTNAME ASBR2!interface e0/0ip address 168.192.0.2 255.255.255.252 mpls bgp forwarding ! Enable BGP forwarding on connecting interfaces
!interface e2/0ip address 168.192.2.2 255.255.255.252 mpls bgp forwarding!router bgp 2neighbor 10.10.10.10 remote-as 1neighbor 10.10.10.10 disable-connected-check neighbor 10.10.10.10 update-source Loopback0!
PE2PE1 AS #1AS #2
RR2RR1
ASBR-1ASBR-2
E0/0: 168.192.0.1
E2/0: 168.192.2.1
L0:10.20.20.20/32L0:10.10.10.10
E2/0: 168.192.2.2
E0/0: 168.192.0.2
Create loopback interfaces on directly connected ASBRs
!address-family vpnv4neighbor 10.10.10.10 activate neighbor 10.10.10.10 send-community extended !ip route 10.10.10.10 255.255.255 e0/0 168.192.0.1 ip route 10.10.10.10 255.255.255 e2/0 168.192.2.1! Configure /32 static routes to the eBGP neighbor
loopback address
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 19
Inter-AS Security Elements
MD5 Authentication on LDP/BGP Sessions
Apply max prefix
Static Labels
TTL Check to diagnose DoS attacks
Filtering with BGP attributes ASPATH, ext communities, RDs checks, …etc. Set route-maps to filter and send only the desirable prefixes
RT Constraint (filtering)
Customize Route Targets, RT Rewrite
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 20
Route Target Rewrite Example
VPN-A-1 VPN-A-2
PE-1
PE2
CE2
PE-ASBR1
PE-ASBR2
CE-1
AS #1 AS #2
VPN-A
Export RT 100:1
Import RT 100:1
VPN-A
Export RT 200:1
Import RT 200:1
Rewrite RT:200:1->100:1
Rewrite RT:100:1->200:1VPNv4
Exchange
Replace Incoming Update on ASBR2:
ip extcommunity-list 1 permit rt 100:1 ! route-map extmap permit 10 match extcommunity 1 set extcomm-list 1 delete set extcommunity rt 200:1 additive
! route-map extmap permit 20 !neighbor X.X.X.X route-map extmap in
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 21
Inter-AS L3VPN Summary
Three models: Option A, B, and C
Option A is the most secured. Support granular QoS
Option B, less invasive
Option B, only need to know the loopback or interface address of directly connected ASBR
Option C, most scalable, most invasive, mostly deployed in a single service provider’s multi-AS network
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 22
I-AS IPv6 VPNsOverview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 23
ASBR1 ASBR2
6VPE1
VPN-R1
CE16VPE2
CE2
VPN-R2
Inter-AS IPv6 VPN
2001:0db8:: 2003:1::
10.10.20.2
AS1 AS210.10.10.110.10.20.1
2003:1:: is reachable via BGP Next Hop = 10.10.20.1 bind BGP label to 2003:1:: (*)
All three ASBR-to-ASBR connectivity options discussed in earlier sections are supported for
-IPv6 Provider Edge Router - 6PE – model (uses vanilla IPv6)
-IPv6 VPN Provider Edge - 6VPE – model (uses option A,B,C)
IPv4 address is used for PE-ASBR and ASBR-ASBR peering
2003:1:: is reachable via BGP Next Hop = 10.10.20.2
10.10.10.2
2003:1:: is reachable via BGP Next Hop = 10.10.20.2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 24
ASBR1 ASBR2
6VPE1
VPN-R1
CE16VPE2
CE2
VPN-R2
Inter-AS IPv6 VPNConfiguration
2001:0db8:: 2003:1::
router bgp 1no bgp default ipv4-unicastno bgp default route-target filter neighbor 20.20.20.2 remote-as 2neighbor 10.10.10.1 remote-as 1 neighbor 10.10.10.1 update-source Loopback1! address-family vpnv6!Peering to ASBR2 over an IPv4 link! neighbor 20.20.20.2 activate neighbor 20.20.20.2 send-community extended !Peering to PE1 over an IPv4 link!neighbor 10.10.10.1 activate neighbor 10.10.10.1 next-hop-self neighbor 10.10.10.1 send-community extended
20.20.20.2AS1 AS210.10.10.1
20.20.20.1
10.10.10.2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 25
Inter-AS L2 VPNs: VPWSI-AS Virtual Private Wire Service: Any Transport over MPLS
Overview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 26
Inter-AS L2VPNMultiple PW Segments using Option A
Any Transport over MPLS is point-to-point L2VPN service
One PW/AC (AC types: Ethernet, VLAN, PPP, ATM, TDM, FR, HDLC)
Clear demarcation between ASs
PE-ASBR exchange PW (VC) label
Granular QoS control between ASBRs
IP/MPLSAS1
ASBR1 ASBR2
IP/MPLSAS2
..PW2
PW2PE1 PE2
ACAC
CE2CE1
PW1 PW1
AC
PL 40 PL 40 PL 80 PL 80
Pseudowire
PW Label
PL = Payload
T-LDP Peers
T-LDP Peers
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 27
Inter-AS L2VPNMulti-Hop PW using Option B
PE and P devices do not learn remote PW endpoint addresses
Only PW endpoint address (ASBR) leaked between ASs
ASBRs swap PW (Virtual Circuit) Label
ASBR1 ASBR2PW1
PW3PE1 PE2PW2
IP/MPLSAS1
IP/MPLSAS2
PL 40 PL 80 PL 80PL 10PL 40
T-LDP Peers
T-LDP Peers
T-LDPPeers
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 28
Inter-AS L2VPN Option B—Configuration
!HOSTNAME PE1!interface giga1/0xconnect <ASBR1> 10 encapsulation mpls!
!HOSTNAME PE2!interface giga1/0xconnect <ASBR2> 20 encapsulation mpls!
HOSTNAME ASBR1!pseudowire-class pw-switchencapsulation mpls!l2 vfi pw-switch point-to-pointneighbor <ASBR2> 100 pw-class pw-switchneighbor <PE3> 10 pw-class pw-switch!Interface giga3/0mpls bgp forwarding!! router bgp 1Neighbor <ASBR2-WAN> remote-as 2exit-address-family! *Also announce the loopback address (xconnect ID) of ASBR1in IGP(AS1) and eBGP
HOSTNAME ASBR2!pseudowire-class pw-switchencapsulation mpls!L2 vfi pw-switch point-to-pointneighbor <ASBR1> 100 pw-class pw-switchneighbor <PE4> 20 pw-class pw-switch!Interface giga3/0mpls bgp forwarding!router bgp 2neighbor <ASBR1-WAN> remote-as1exit-address-family! *Also announce the loopback address of ASBR2 in IGP(AS2) and eBGP
ASBR1 ASBR2PW1
PW3PE1 PE2
PW2IP/MPLS
AS1IP/MPLS
AS2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 29
Inter-AS AToM—Option C Single-Hop PW: BGP IPv4+label
Single physical interface between ASBRs
PW endpoint addresses leaked between ASs using eBGPIPv4+label and distributed to PEs using iBGP IPv4+label
PWs are not terminated on ASBRs
Pseudowire
ASBR1 ASBR2PE1 PE2
IP/MPLSAS1
IP/MPLSAS2
T-LDP Peers
1040PL 2040PL 40PL40PL
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 30
Inter-AS AToM Option C—Configuration
HOSTNAME ASBR1! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor <PE3> send-labelneighbor <ASBR-2> send-labelexit-address-family!
HOSTNAME ASBR2! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor <PE4> send-labelneighbor <ASBR-1> send-labelexit-address-family!
HOSTNAME PE4!interface Ethernet1/0xconnect <PE3> 100 encapsulation mpls!! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor <ASBR-2> send-labelexit-address-family!
HOSTNAME PE3!interface Ethernet1/0xconnect <PE4> 100 encapsulation mpls! ! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor <ASBR-1> send-labelexit-address-family!
IPv4 + Labels
MPLS AS1
MPLS AS2
ASBR1 ASBR2PE3 PE4
Int eth1/0
Int eth1/0
PE1 PE2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 31
I-AS AToM Key Points
All three I-AS models are supported to carry point-to-point PWs
Transparently forwarding of data
The control word negotiation results must match. The control word is disabled for both segments if either side doesn’t support it.
Per-PW Quality of Service (QoS) is not supported.
Attachment circuit inter-working is not supported.
Traffic Engineering (TE) tunnel selection is supported.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 32
Inter-AS L2 VPNs: VPLSOverview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 33
Virtual Private LAN Service Overview VPLS provides fully meshed L2 connectivity among VPN Sites
VPLS VPN sites may span multiple Domains
PEs aggregating VPN sites in both domains need transparency
Option A, B and C supported to interconnect ASBRs
For Option B, use a switching PW on ASBRs as discussed earlier
PE3
CE4CE3
CE2CE1
CE3
CE1
CE4
CE2
VPLS AS1
VPLS AS2
ASBR1 ASBR2
PE4
PE1 PE2
Exchange Virtual Switching Instance
Database (MAC Addresses, VLAN IDs +
Labels
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 34
PE3
Inter-AS VPLS—Option C Single Hop Pseudowires
Reachability between PEs is provided using eBGP+Labels (Option C discussed earlier)
PWs are transported through ASBRs
Targeted LDP session is formed between PEs
Auto discovery of VPLS VPNs is supported using BGP
Route Distinguisher, Route Target and VPN IDs are used similar way as in MPLS L3 VPNs
RDs don’t have to match across different domains for the same VPLS VPN sites
CE4CE3
CE1CE2
IPv4 + Labels
VPLS AS1
VPLS AS2
ASBR1 ASBR2PE4
PE1 PE2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 35
VPLS BGP Auto Discovery with Inter-AS Option C—Cisco IOS Configuration
PE1
CE4CE1
CE2 VPLS ID: customer1
! Setup VPLS instance, Define discovery method and set vpn iD !HOSTNAME PE3!l2 vfi customer1 autodiscoveryvpn id 100
! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor <ASBR-1> send-labelexit-address-family!
! Setup VPLS instance, Define discovery method and set vpn iD, vpls-id and RT to match the other side. HOSTNAME PE4!l2 vfi customer1 autodiscoveryvpn id 100rd 1:100Route-target both 1:100
! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor <ASBR-2> send-labelexit-address-family!
VPLS AS1
VPLS AS2 VPLS ID:
customer1
PE3:10.0.0.1
PE4
IPv4 + Labels
1. PE3 sends this packet to PE4: 1:100:10.0.0.1/96 RT 1:100 VPLS-id 1:100
2. L2 Subsystem on PE4 decodes it: VPN ID:100, Neighbor LDP-ID: 10.0.0.1 (=NH)
3. PWs are setup using directed LDP session among PEs
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 36
Inter-AS mVPNsOverview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 37
Receiver 4
B1
D
A
CE
CE
High bandwidth Multicast Source
Receiver 3
Receiver 2
C
CE
MPLS VPNCore
CE
Receiver 1
BPE
PE
E
PEA
PED
C
Join HighBandwidth Source
Join HighBandwidth Source
CE
DataMDT
For High Bandwidth
Traffic Only.
DefaultMDTFor low
Bandwidth & Control
Traffic Only.
B2
San Francisco
Los Angeles
Dallas
New York
mVPN Concept and Fundamentals—Review
CEs join MPLS Core through provider’s PE devices
PEs perform RPF check on Source to build Default and Data Trees (Multicast Data Trees –MDT)
Interfaces are associated with mVRF
Source-Receivers communicate using mVRFs
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 38
I-AS mVPN Requirements
Challenge: Setup Multicast Data Trees across ASs
To form the Default MDT, PE routers must perform an RPF check on the source
The Source address is not shared between ASs
Solution:
Support reverse path forwarding (RPF) check for I-AS sources – P and PE devices
Build I-AS MDTs
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 39
PE1 AS #1 AS #2
CE1
VPN-A1VPN-A2
CE4
ASBR1 ASBR2
MDTs
RPF Check with Option B and Option C
Two new components:BGP Connector Attribute (Originating PE) & PIM RPF Vector (ASBR1 in AS1)
For Option B(eBGP between ASBRs): Use BGP Connector Attribute to RPF to source that is reachable via PE router in remote AS
Preserves identity of a PE router originating a VPNv4 Prefix
Receiving PEs in the remote AS use RPF Connector to resolve RPF
For Option B and C: Use PIM RPF Vector to help P routers build an I-AS MDT to Source PEs in remote AS
Leverage BGP MDT SAFI on ASBRs and receiver PEs to insert the RPF Vector needed to build an I-AS MDT to source PEs in remote ASs
P11PE2
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 40
PE1 PE2AS #1 AS #2
CE2
VPN-A1
VPN-A2
CE-4
ASBR1
MDTs
I-AS MVPN MDT Establishment for Option B
P11
BGP VPNv4 Update from PE2 to ASBR2RD 1:1, Prefix 152.12.4.0/24 NH PE2, CONN PE2
BGP MDT SAFI Update (Source and Group)RD1:1, Prefix PE2, MDT 232.1.1.1, NH PE2
From ASBR2 to ASBR1RD 1:1, Prefix 152.12.4.0/24 NH ASBR2, CONN PE2
BGP MDT SAFI UpdateRD1:1, Prefix PE2, MDT 232.1.1.1, NH ASBR2
ASBR2
1.
2.
From ASBR1 to PE1RD 1:1, Prefix 152.12.4.0/24 NH ASBR1, CONN PE2
BGP MDT SAFI UpdateRD1:1, Prefix PE2, MDT 232.1.1.1, NH ASBR1
3.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 41
Carrier Supporting Carrier Overview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 42
Introducing Carrier Supporting Carrier
CSC is one of the VPN services that is applicable in a Multi-AS network environment
CSC VPN service is a VPN service that provides MPLS transport for customers with MPLS networks
It is also known as hierarchical MPLS VPN service since MPLS VPN customer carrier subscribes MPLS VPN service from an MPLS Backbone provider
Defined in RFC 4364. (previously well know by draft 2547biz)
MPLS Backbone
Backbone Service Provider
Customer Carrier ISP1
MPLS NWMPLS NWCustomer Carrier ISP1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 43
Why Carrier Supporting Carrier?
MPLS VPN services offerings by an MPLS VPN backbone provider to customers with MPLS networks
Provide business continuity by extending segmented networks Customer networks include ISP, Carriers, or other enterprise networks
Address scalability issues at the PEs
MPLS-VPN works well for carrying customer IGPsReduce #s of VPN routes carried by a PE by using hierarchical model
Platforms, network scale to N*O(IGP) routes: Internet Routes
Separate Carrier’s Internal routes from external routes eliminating the need to store customer’s external routes
MPLS Backbone
Backbone Service Provider
San FranciscoISP1
LondonISP1
MPLS NWMPLS NW
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 44
Carrier’s Carrier building blocks
MPLS MPLS-VPN enabled Carrier’s backbone
CSC-PE: MPLS VPN PEs located in backbone Carrier’s Core
CSC-CE: Located at the Customer Carrier (ISP/SPs/Enterprise) network edge and connects to a CSC-PE
PE: located in Customer carrier networks & carries customer VPN routes
CSC-RR: Route Reflectors located in MPLS Backbone provider network
RR: Route Reflectors located in Customer Carrier Network
MPLS Label exchange between Carrier’s PE & ISP/SPs CE
MPLS Backbone
CSC-PE1 CSC-PE2
CSC-CE2
Backbone Service Provider
CSC-CE1
San FranciscoISP1
LondonISP1
PE1RR1
PE2
RR2PE4
PE3
MPLSMPLS
CSC-RR1
Customer Carrier1 Customer Carrier1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 45
Carrier’s Carrier building blocks (continue)
External Routes: IP routes from VPN customer networks
Internal Routes: Internal routes (global table) of Customer Carrier network
External routes are stored and exchanged among Customer Carrier PEs
MPLS Backbone network doesn’t have any knowledge of external routes
Customer Carrier selectively provides NLRI to MPLS VPN backbone provider
MPLS Backbone
CSC-PE1 CSC-PE2
CSC-CE2
Backbone Service Provider
CSC-CE1
San Francisco ISP1 London ISP1
PE1RR1
PE2
RR2PE4
PE3
MPLSMPLS
CSC-RR1
CE1R CE1G
VPN Customers
External Routes
External Routes
CE2G CE2R
VPN Customers
External Routes
External Routes
Internal Routes Internal Routes
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 46
CSC Building Blocks (continue)
Control Plane configuration is similar to single domain MPLS VPN
CSC-CE to CSC-PE is a VPN link to exchange Customer Carrier’s internal routes. These routes are redistributed into the BSP’s CSC-PE using:
1. Static Routes OR 2. Dynamic IGP OR 3. eBGP
Customer Carriers don’t exchange their Subscribers’ (external) VPN routes with the Backbone Service Provider
CSC-PE-to-CSC-CE links extend Label Switching Path using:1. IGP+LDP2. eBGPv4 + Labels
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 47
Carrier’s Carrier building blocks (continue)
Label Switched paths between CSC-CE and CSC-PE
CSC-PE and CSC-CE exchange MPLS Labels
-this is necessary to transport labeled traffic from a Customer Carrier
IP between CE and PE for VPN customers
MPLS Backbone
CSC-PE1 CSC-PE2 CSC-CE2
Backbone Service Provider
CSC-CE1
San FranciscoISP1
LondonISP1
PE1RR1
PE2
RR2PE4
PE3
MPLSMPLS
CSC-RR1
CE1R CE1G CE2G CE2R
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 48
Carrier Supporting Carrier Models
1. Customer Carrier Is Running IP Only-similar to basic MPLS L3 VPN environment
2. Customer Carrier Is Running MPLS-LSP is established between CSC-CE and CSC-PE
-Customer carrier is VPN subscriber of MPLS VPN backbone provider
3. Customer Carrier Supports MPLS VPNs-LSP is established between CSC-CE and CSC-PE
-Customer carrier is VPN subscriber of MPLS VPN backbone provider
-True hierarchical VPN model
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 49
CSC Model IIICustomer Carrier Supports MPLS VPNs
LSP is extended to CSC-PE, CSC-CE advertises labels for internal routes to CSC-PE; CSC-PE1 performs imposition for site VPNlabel and IGP label
PE swaps the site IGP label with a BB VPN label and push IGPlabel; PHP is now extended to inside of site 2
External and VPNv4 routes are carried by MP-BGP between customer carrier sites
CSC-CE and CSC-PE exchange labels using IGP+LDP or eBGP+Label
MPLS Backbone
Backbone Service Provider
San FranciscoISP1
LondonISP1
MPLS NWMPLS NW
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 50
CSC Model III Routing Exchange
RR1R and RR2R exchange Red VPN site routes
RR1 and RR2 exchange ISP1 site routes
CSC-RR1 updates CSC-PEs
ISP1 adds Subscriber VPN Label which is removed by the remote ISP1 VPNsite
Backbone CSC-PE1 adds backbone VPN label which is removed by backbone CSC-PE2
MPLS Backbone
CSC-PE1 CSC-PE2 CSC-CE2
Backbone Service Provider
CSC-CE1
San FranciscoISP1
LondonISP1
PE1RR1
PE2
RR2PE4
PE3
MPLSMPLS
CSC-RR1
CE1R CE1G CE2G CE2R
RR1RRR2RRR2GRR1G
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 51
LabelLabel=120Label
Label=50
CSC Model III—Customer Carrier Supports MPLS VPNs
IP/MPLSCSC-PE1 CSC-
PE2 IP/MPLS
Label=100
SwapPushPush
Swap Pop
Label
Label=28
Payload
PE1
Site A – VPNASite B – VPN A149.27.2.0/24
CE1CE2
MP-iBGP PeeringVPN-v4 Update:
RD:1:27:149.27.2.0/24,NH=PE2
RT=1:231, Label=(28)
Label=28
Payload
Label=28
PayloadPayload
Label=28
Payload
SwapPush
Label=28
Payload
Pop
Payload
PE2VRF VRFIP/MPLS
VRFVRF CSC-CE2CSC-CE1
CE2-VPN-Label
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 52
CSC Model III with IPv4+Label Cisco IOS Configuration
MPLS Backbone
CSC-PE1200.0.0.4/32
CSC-PE2200.0.0.6/32
GlobalComSan Francisco
GlobalComLondon
GC-CSC-CE1100.0.0.3/32
GC-CSC-CE2100.0.0.7/32
GC-LONPE1100.0.0.8/32
GC-SFPE2100.0.0.2/32
CE-VPN-GC10.1.1.1/32
CE-VPN-B1CE-VPN-A210.1.1.9/32 CE-VPN-B2
BB-P1200.0.0.5/32
192.168.0.x/24192.168.2.x/24
172.16.0.x/24172.16.1.x/24
CSC-PE1#ip vrf GCrd 1:100route-target export 1:100route-target import 1:100!mpls label protocol ldp
CSC-PE1#ip vrf GCrd 1:100route-target export 1:100route-target import 1:100!mpls label protocol ldp
GC-CSC-CE1#!mpls label protocol ldp
GC-CSC-CE2#!mpls label protocol ldp
GC-SFPE2#ip vrf GCrd 1:100route-target export 1:100route-target import 1:100!mpls label protocol ldp
GC-SFPE2#ip vrf VPNArd 1:100route-target export 1:100route-target import 1:100!mpls label protocol ldp
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 53
Customer Carrier A
ASBR1 ASBR2PW1PE1 PE2
ASBR3 ASBR4
MPLS L2VPNs Across a CSC Network
ASBR1 ASBR2
PW1
PE1 PE2ASBR3 ASBR4
Multi-Hop PW
Single-Hop PW Pseudowire
Pseudowire
MPLS Backbone Carrier(CsC)
MPLS Backbone Carrier(CsC)
Customer Carrier A
Customer Carrier A
Customer Carrier A
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 54
CSC Security Elements
MD5 authentication on LDP/BGP sessions
Applying max prefix limits per VRF
Use of static labels between CSC-CE and CSC-PE
Route Filtering…Customer Carrier may not want to send all the internal routes to MPLS VPN backbone provider…
Use Route-maps to control route distribution & filter routes
Use match and set capabilities in route-maps
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 56
CSC Summary (1)
CSC supports hierarchical VPNs VPNs inside customer carrier’s network are transparent
to the backbone MPLS VPN Service Provider QoS will be honored based on MPLS EXP bits between
CSC-CE and CSC-PE Granular QoS policies should be pre-negotiated and
manually configured Additional supported Services over CSC
MPLS IPV6 VPNsMulticast VPNsMPLS L2 VPNsMPLS TE
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 58
Best Practice Recommendations
Do not use Static default routes on CSC-CEEnd-End LSP is required across the VPN and MPLS VPN backbone
Use dynamic protocol instead of static on CSC-CE –CSC-PE link preferably eBGP+IPv4 Labels
Set Next-Hop-Self on PEs carrying external routes
If using IGP on CSC-CE routers, use filters to limit incoming routes from the CSC-PE side
If using RRs in customer carrier network, set next-hop-unchanged on RRs
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 59
Overview
I-AS RSVP TE
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 60
How MPLS TE Works in a Single Domain
1. Head-end learns network topology information using:
ISIS-TE
OSPF-TE
full view of the topology
2. Path Calculation (CSPF)
3. Path Setup (RSVP-TE):Label_Request (PATH)
Label (RESV)
Explicit_Route Object
Record_Route (Path/RESV)
Session_Attribute (Path)
4. LFIB populated using RSVP labels
5. Packets forwarded onto a tunnel via:Static routed
Autoroute
Policy route
CBTS
Tunnel Select
Forwarding Adjacency
6. Packets follow the tunnel LSP and Not the IGP LSP
TE Headend
TE TailendPATH
PATHPATH
RESV
RESV
RESV
TE Mid points
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 61
Inter-Domain Traffic Engineering
Challenge:
Head end and Tail end are located in different domains
IGP information is not shared between domains
Head end lacks the knowledge of complete network topology to perform path computation
Solution:
Use Explicit Route Object (ERO) Loose Hop Expansion, Node-id, and Path re-evaluation request/reply Flags to provide per-domain path computation at the head-end + RSVP Policy Control and Confidentiality
RFCs: 3209, 4736, 4561, …etc.
draft-ietf-ccamp-inter-domain-rsvp-te-06.txt an
draft-ietf-ccamp-inter-domain-pd-path-comp-05.txt
http://www.cisco.com/go/mpls
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 62
Per-Domain Path Computation Using ERO Loose-Hop Expansion
IP/MPLS ASBR1 ASBR2 IP/MPLS
PE11 PE7
ASBR3 ASBR4
P2
P3
P4
P5
P6
ASBR4 (Loose) PE7 (Loose)
R3, ASBR3, ASBR4PE7 (Loose)
R1 Topology Database
ERO EROExpansion
ERO EROP5, PE7PE7 (Loose)
ASBR4 Topology Database
Expansion
Inter-AS TE LSP
Head-End Defines the Path with ASBR and the Destination as Loose Hops
Path Computation Completed During TE LSP Setup
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 63
Inter-Domain TE—TE LSP Reoptimization
Reoptimization can be timer/event/admin triggered
Head end sets ‘path re-evaluation request’ flag (SESSION_ATTRIBUTE)
Head end receives a PathErr message notification from the boundary router if a preferable path exists
Make-before-break TE LSP setup can be initiated after PathErr notification
IP/MPLS ASBR1 ASBR2 IP/MPLS
PE1 PE7
ASBR3 ASBR4
P2
P3
P4
P5
P6 Inter-AS TE LSP after
reoptimization
Inter-AS TE LSP before
reoptimization
Make before break
Path re-evaluation request Preferable
Path exists
PATH
PathErr
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 64
Inter-Domain TE—Fast Re-Route
Same configuration as single domain scenario
Link and Node protection include ASBRs and ASBR to ASBR links
Support for Node-id sub-object is required to implement ABR/ASBR node protection
Node-id helps point of local repair (PLR) detect a merge point (MP)
Node-id flag defined in draft-ietf-nodeid-subobject
IP/MPLS ASBR1 ASBR2 IP/MPLS
PE1 PE7
ASBR3 ASBR4
P2
P3
P4
P5
P6
Primary TE LSPBackup TE LSP
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 65
Inter-Domain TE—Policy Control and Confidentiality
ASBR may enforce a local policy during Inter-AS TE LSPs setup (e.g. limit bandwidth, message types, protection, etc.)
Route Recording may be limited
ASBR may modify source address of messages (PathErr) originated in the AS
ASBR may perform RSVP authentication (MD5/SHA-1)
IP/MPLS ASBR1 ASBR2 IP/MPLS
PE1 PE7
ASBR3 ASBR4
P2
P3
P4
P5
P6
Inter-AS TE LSP
Policy
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 66
Configuring Inter-AS Tunnels (Cisco IOS)
Loose-hop path
List of ASBRsas loose hops
Static route mapping IP traffic to Tunnel1
mpls traffic-eng tunnels
!
interface Tunnel1
ip unnumbered Loopback0
no ip directed-broadcast
tunnel destination 172.31.255.5
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 1000
tunnel mpls traffic-eng path-option 10 explicit name LOOSE-PATH
!
ip route 172.31.255.5 255.255.255.255 Tunnel1
!
ip explicit-path name LOOSE-PATH enable
next-address loose 172.24.255.1
next-address loose 172.31.255.1
!
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 67
Configuring Inter-AS TE at ASBR (Cisco IOS)
Process signaling from AS 65016 if FRR not requested and 10M or less
Add ASBR link to TE topology database
Authentication key
Enable RSVP authentication
mpls traffic-eng tunnels!key chain A-ASBR1-keykey 1 key-string 7 151E0E18092F222A
!interface Serial1/0ip address 192.168.0.1 255.255.255.252mpls traffic-eng tunnelsmpls traffic-eng passive-interface nbr-te-id 172.16.255.4 nbr-igp-id ospf 172.16.255.4ip rsvp bandwidthip rsvp authentication key-chain A-ASBR1-keyip rsvp authentication type sha-1ip rsvp authentication
!router bgp 65024no synchronizationbgp log-neighbor-changesneighbor 172.24.255.3 remote-as 65024neighbor 172.24.255.3 update-source Loopback0neighbor 192.168.0.2 remote-as 65016no auto-summary
!ip rsvp policy local origin-as 65016no fast-reroutemaximum bandwidth single 10000forward all
!
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 68
Summary
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 69
Let’s Summarize
MPLS VPNs model A, B and C have been deployed to support VPNs among Service Providers and within a single Service Provider’s multi-AS networks
MPLS L2 VPNs, L3VPNs (IPv4, IPv6, and multicast VPNs) are supported in multi-domain environment
MPLS TE is also supported in multi-area or multi-AS networks
QoS policies across the ASBRs need to be agreed by the partners and should be configured manually
Inter-AS: Extending VPN Boundaries
MPLS Backbone Provider
Customer Carrier-B
Customer Carrier-B
Subscriber A Site1
Subscriber A Site1
Subscriber A Site1
Subscriber A Site2
Provider-A Provider-BASBR-A ASBR-B
CSC: Hierarchical VPNs
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 70
Meet the Engineer
To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with top Cisco Engineers
Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these Face-to-Face meetings will provide fascinating dialogue and a wealth ofvaluable insights and ideas
Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 72
PE1PE2AS #1 AS #2
ASBR1
I-AS MVPN Configuration Procedure Option B (SSM)
ASBR2
Configuration Steps:1. Enable RPF Vector in the Global table
ip multicast rpf vector2. Setup Multicast Address family on ASBRs
address-family ipv4 mdt3. Configure PE router to send BGP MDT updates to build the Default MDT
ip multicast vrf <vrf name> rpf proxy rd vector
CE-4
! PE1 Configuration:!ip multicast-routingip multicast routing vrf VPN-Aip multicast vrf VPN-A rpf proxy rd vector!router bgp 1!address-family ipv4 mdtneighbor <ASBR1> activateneighbor <ASBR1> next-hop-selfexit-address-family!ip pim ssm default!
! ASBR1 Configuration:!ip multicast-routingip multicast routing vrf VPN-A!router bgp 1!address-family ipv4 mdtneighbor <ASBR2> activateneighbor <PE1> activateneighbor <PE1> next-hop-selfexit-address-family!ip pim ssm default!